📈 Read the 2025 Salesforce Threat Landscape Report
Back to blog

Why cloud-first security matters: Protecting Salesforce and SaaS data from modern threats

Cyber threats have shifted to the cloud, where the most valuable data and biggest risks now live. From phishing and malicious APIs to hidden malware in customer portals, attackers target SaaS platforms like Salesforce. Traditional endpoint defenses alone aren’t enough — cloud-first security is essential to protect critical data, maintain trust, and stop threats before they spread.

Suki Ng August 27th, 2025
gainsight salesforce investigation

Your business doesn’t just run in the cloud — it depends on it.

For years, cybersecurity strategies revolved around the corporate network and the devices inside it. Firewalls, antivirus tools, and endpoint detection formed the first line of defense. But business has changed. Today, the most valuable data — and the biggest vulnerabilities — are no longer at the network’s edge. They’re in the cloud.

Adopting a cloud-first security strategy is no longer optional. Cloud platforms aren’t just productivity tools anymore — they’ve become the operational core of most organizations. For many enterprises, that means Salesforce. As the world’s leading CRM, it doesn’t just manage customer data — it connects with ERP, marketing, analytics, and AI-driven workflows. That reach makes Salesforce both indispensable — and highly attractive to attackers.

Customer data, contracts, and intellectual property all live there, which makes security in SaaS environments a matter of business resilience. When protection isn’t prioritized where this data resides, the risk isn’t just technical — it’s strategic.

Why cloud-first security starts with your core platforms

Customer records, transactions, contracts, intellectual property — for many organizations, all of it is now hosted in cloud services. That’s exactly why attackers are aiming there. Compromise a cloud environment and you’ve gained a direct route into the business.

When that happens, the damage extends far beyond the breach itself. Trust, regulatory standing, and day-to-day operations can all take a hit.

Always-on environments demand always-on protection

Cloud systems never “clock off.” They’re accessible around the clock from anywhere in the world — great for productivity, but equally attractive to cybercriminals.

  • Phishing attacks targeting CRM logins can enable long-term, stealthy access.
  • Weak or unmonitored API connections can be exploited within minutes to pull or inject malicious data.
  • Integrations without proper oversight can become silent entry points for malware.

In a world where you can’t shut the front door, detection and response must be constant.

Persistent targets, persistent risks

Endpoints change constantly — laptops get replaced, phones get upgraded, and bring-your-own-device policies add churn. But your cloud data environment is different: it’s fixed, highly valuable, and accessible.

In Salesforce, that persistence is even greater: overprivileged accounts, shadow access, and unmonitored integrations create openings that attackers can exploit. Once inside, they can extract sensitive records, manipulate workflows, or spread malicious files across partners and customers.

Upon getting access, attackers can:

  • Extract sensitive information
  • Manipulate workflows
  • Spread malicious files to employees, partners, or customers

This persistence is exactly why security strategies must address persistent cloud threats that don’t disappear when a device is replaced.

The cost of catching threats too late

It’s almost always cheaper to stop a threat at the point of entry than to contain it after the fact. In cloud environments, once a malicious file is in place, it can be:

  • Downloaded and executed locally
  • Shared across supply chain partners or customers
  • Synced into ERP, marketing, or analytics systems

By then, remediation is about more than technology — it involves compliance reporting, legal obligations, and reputational repair. Investing in cloud malware protection prevents these files from ever reaching end users or connected systems.

A shared responsibility you can’t outsource

Even with the most secure infrastructure, responsibility for what enters and moves through a cloud service sits with the customer – this is the essence of the shared responsibility model in cloud security. Salesforce secures the platform, but customers remain responsible for securing the data and workflows inside it. That includes files uploaded to cases, links shared in Chatter, or third-party app integrations that can deliver hidden threats. Without in-cloud scanning, these risks often go undetected until it’s too late.

Threats can arrive via:

  • User uploads
  • Third-party apps
  • API integrations
  • Links stored inside records or collaboration threads

Dormant malware — from PDFs with hidden code to malicious URLs — can sit unnoticed until the moment they’re triggered. In highly connected environments, one file can quickly become everyone’s problem.

A real-world example

In 2024, a retail brand discovered malware in its customer portal, embedded in PDF invoices uploaded through a cloud platform. Because the files were never scanned in the cloud, they were downloaded directly by finance staff, compromising multiple devices. The response required a portal shutdown, weeks of remediation, and a compliance review. It was a clear reminder that endpoint defenses alone aren’t enough. Incidents like this highlight the need for Salesforce-native protection that blocks threats before they reach users.

The Salesforce State of IT Security Report surveyed over 4,000 IT leaders worldwide, including more than 2,000 security specialists. Key findings included:

  • Security budgets are rising, with 75% of organizations planning increases.
  • Cloud security threats now rank alongside phishing and data poisoning as top concerns.
  • AI is both a tool and a risk, with 80% viewing it as transformative but difficult to govern.
  • Governance gaps persist, with nearly half lacking the infrastructure for safe AI adoption.

The takeaway: a cloud-first security strategy isn’t just about protecting “the cloud” in general. It’s about protecting your most business-critical SaaS environments — starting with Salesforce. By detecting and blocking threats in real time, you reduce remediation costs, preserve trust, and ensure resilience where it matters most.

Why a cloud-first approach works

By focusing protection where your most critical data actually resides, you:

  • Block threats before they spread
  • Reduce the cost and impact of remediation
  • Minimize downtime and operational disruption
  • Preserve the trust of customers and partners

With in-cloud threat detection, attacks can be stopped before they spread to endpoints or other systems. A cloud-first security strategy isn’t about abandoning traditional defenses — it’s about aligning them with the way business works today.

Suki Ng
Suki is Lead Solutions Consultant, EMEA at WithSecure, helping organizations maximize the value of Salesforce while keeping it secure. She works closely with enterprises, Salesforce teams, and global partners to understand their goals, tackle complex challenges, and deliver practical, effective solutions. Outside of work, Suki loves the outdoors and spending time with friends. A passionate foodie, she believes good food always lifts the mood. She also enjoys sports, live music, and traveling.